Cyber insurance product design

We now turn to the models that we have developed to help insurance companies with their risk management problems in cybersecurity. In this section we propose a model to assist insurers with the design of cyber insurance products. The model makes it possible to optimise both price and coverage. The model can be adapted to enable market segmentation and also to allow for dynamic pricing of these products.

This model is designed to help with some of the challenges for insurers that are described in Chapter 1, notably the difficulty surrounding developing and pricing cyber insurance products. This stems in large part from the struggle to accurately assess cybersecurity risk. The use case below describes a situation in which an SME receives insufficient cyber insurance coverage, due to experiencing a cyber attack that has larger than anticipated impacts on third party companies that rely on its products or services.

4.4.1 Use case

During a large DDoS attack by a nation state-sponsored attacker, an SME that provides cloud-based services to several major companies is unable to do so. Since these companies rely on the SME’s cloud-based services for a significant part of their operations, they are also unable to provide services for up to 12 hours. This third party business interruption entails a large financial impact that greatly surpasses the initial risk assessment estimation.

From the perspective of the insurance company, this could be addressed by applying a maximum cap for claims related to cyber incidents. However, from the perspective of the insured company, it is important that it conducts a correct assessment of the impact of a cyber incident on its entire value chain, including third party companies.

4.4.2 Current approaches

We now describe how cyber insurance products are designed at present. Information about the specific algorithms used by insurers in pricing cyber risk is confidential, but we can describe the process in general terms. Sarabia et al. (2007) provide a good overview of the design of insurance products more broadly, and Romanosky et al. (2019) give a detailed descript ion of current practices in the US concerning cyber insurance product design. It is important to note that the decision process is frequently market-driven, in the sense that companies do not want to deviate too much from the prices that their competitors charge.

Cyber insurance product lines are currently limited, the main types of coverage being for cyber attacks, data leaks, forensic investigation costs, business interruption costs, and reputational damage, as described in Chapter 1. Some insurers specialise in specific types of cybersecurity coverage and market segments, in order to minimise the probability of major losses, develop expertise and reputation, and gain cyber insurance market share. For example, an insurer may choose to underwrite limited first party cyber breaches (e.g. hardware and software restoration or legal costs) for homogenous firms (e.g. financial, health, or technology) with a limited number of employees (e.g. less than 1,500) and vendors.

Key decisions for insurers underwriting cyber insurance products surround pricing and level of coverage, including when it comes to which impacts are insured. Some of the potential impacts of cyber attacks are mentioned in the various use cases in this chapter and in Chapter 5. The financial impacts of cyber incidents are described in Eling and Wirfs (2019). A review of business and organisational impacts in cybersecurity, beyond the traditional technical triad of confidentiality, integrity, and availability of information, may be seen in Couce-Vieira et al. (2020a).

The underwriting process

The cyber insurance underwriting process is still evolving and depends on the type of sensitive personal data (e.g. credit card numbers, social security numbers, or health information) and/or business-related data stored by the company, the type of liability to be transferred to the insurer, and the company’s potential losses.

Preliminary information collection

In general, prior to drafting a contract, the insurer conducts a thorough risk assessment of the prospective client using in-house expertise or through a third party company. The first step involves collecting information that allows the insurer to assess the company’s cyber risk profile. Insurers will request information on:

  • • the amount of resources dedicated to information security within the company, e.g. whether the company has a Chief Information Officer and if so, what their primary responsibilities entail:
  • • their information security procedures and to what extent they are enforced;
  • • the security measures in place, such as network segmentation, log monitoring, patch management, and encryption;
  • • the level of employee training on informat ion security and whether there is an awareness campaign within the company, e.g. fake phishing attempts;
  • • their incident response plan and its testing frequency;
  • • their business interruption and recovery plan and its testing frequency;
  • • their procedures for third party vendor management, including the contractual obligations of vendors; and
  • • board-level oversight of cybersecurity policies and reported incidents.

The insurer then uses this information to estimate the probability of the company being breached by a cyber attack and the severity of the breach, given the security control and recovery control measures and procedures in place in the company. They also estimate the impacts on all stakeholders (not just on the company but also on the individuals whose data the company holds), based on specific risk measures.

The process itself

Broadly speaking, the cyber insurance underwriting process involves:

  • • modelling the frequency and severity of cyber losses,
  • • using the estimated models to simulate a joint probability distribution of breach frequency and severity,
  • • converting the breach frequency and severity distributions into monetary value,
  • • quantifying the risk of monetary losses with specific risk measures,
  • • estimating the cost of capital required to finance and administer the insurance policy, and
  • • setting gross premiums for the policy.

Cyber insurance product design Modelling elements

We further describe the modelling aspects: As mentioned previously, cyber insurance underwriters start by modelling the frequency and severity of claims (aggregated claims). To do so, they make widespread use of the loss distribution approach (LDA) and copula-based models, as with other insurance business lines (Awondo, 2019; Eling and Jung, 2018). To use these models to simulate the joint probability distribution of breach frequency and severity, copulas are commonly used to model dependency structures of aggregated claims for each breach type across industries, due to their flexibility in modelling multivariate dependency. If there is sufficient data available, this can be done with a non-parametric estimation of the individual marginal distributions. However, when it comes to cybersecurity, data tends to be limited, so generally expert judgement methods are used instead, as in Couce-Vieira et al. (2020a).

Once the copula and individual marginal distributions are estimated, then the underwriters can simulate the multivariate distribution. The data is converted into monetary value and risk measures such as the value-at-risk (VaR), the conditional value-at-risk (cVaR), or the expected shortfall are used to quantify the risk involved (Rockafellar and Uryasev, 2002; Sklar, 1959). To model losses above a certain threshold, the Generalized Pareto Distribution (GPD) is typically used.

Setting the premium

The gross premium charged for a policy is the sum of the expected loss, also known as the actuarially fair premium. This is made up of a loading cost ij for potentially catastrophic risk, which is usually a function of the tail risk or variance, and a loading cost for the capital required to administer the insurance policy. Insurers typically consider i) as the cost of the investors’ capital required for financing the policy. This estimate depends on how much money the insurer needs to set aside, and for how long, in the event of claims stemming from catastrophic losses. Several different approaches have been proposed for calculating ?; and the preferred choice is case-specific. A comprehensive estimate of rj accounts for inflation, deductibles, policy limits, the cost of the investors’ capital, and reinsurance. As mentioned, the final gross premium charged should be in line with the cost of similar policies sold by competitors. This ensures that the insurer can attract and sustain sufficient demand to significantly reduce the probability of excessive losses and be profitable.

Designing the policy and drafting the contract

To incite insured companies to minimise their risk and reduce moral hazard, insurers typically employ instruments such as co-insurance, deductibles, and caps on insured losses. Important components of the policy design include defining:

  • • exclusions,
  • • when the policy is triggered (often when a claim is made against the insured),
  • • when the insurer has to be notified, and
  • • which forensic, legal, public relations, and crisis management experts will be used following a breach.

With these components in place, the insurer proposes a policy to the client, which the client often further negotiates, and then issues a final version. Finally, the policy is activated and enforced when the client pays the premium and signs the contract.

4.4.3 Model formulation and solution

To solve these challenges, we now present the model we have developed for optimising price and coverage. We then show how it can be adapted to allow for market segmentation and dynamic pricing.

Optimising price and coverage Price

We present an approach to pricing a cyber insurance product for a given client, determining the maximum price that the company would be willing to pay to include an insurance product in his optimal cybersecurity portfolio. Using the methods described in Section 4.3.4, we compute the expected utility и о of the optimal portfolio x*, which can be written concisely as

We make explicit the dependence on the insurance pricing decision through a utility function which includes the price p(i) of the insurance product; i.e. the solution will be x*(p(i.)). Here x = (sec, rec, i) designates a generic portfolio, в encompasses the relevant random variables (nii, ii, tci, tc2, ntc, a, and e), and po is the distribution modelling the relevant uncertainties, including that of the company being attacked. The price p(i) should be in a relevant range [a, 6], where a and b are, respectively, the minimum and maximum prices charged by competitors.

For a given insurance product i that an insurer is interested in selling to a company, we can determine the maximum price p(i) for which the company would include such a product within his optimal cybersecurity portfolio x*. Typically, the product arises within an analysis as described in Section 4.3.4 leading to the determination of the company’s optimal cybersecurity portfolio, which we designate as the “reference portfolio”, based on the initial reference price and coverage. We aim to find the maximum price p(i) that the company would be willing to pay given his organisation profile and features, including his risk profile.

The maximum price p(i) can be determined by searching in a grid of possible prices starting from the reference price and going all the way to the right extreme b (the highest price charged by his competitors). Since for the reference price we know that the optimal portfolio includes the insurance product, we first check whether for the next higher price in the grid the optimal portfolio still includes the insurace product; if so, we move further up the grid until it is not included or we reach b. We can then refine the search within the last interval identified. This gives us the maximum price that the company is willing to pay for an insurance product in his optimal cybersecurity portfolio.

Coverage

We also present an approach to determining the level of coverage of a cyber insurance product for a given client, based on the minimum coverage of impacts that the company would need in order to include the product in his optimal cybersecurity portfolio. We can use a similar approach to that used above. First we specify the dependence ро(9х,с(г)) on the coverage c(i), so that we rewrite (4.3) as

Next we undertake a similar grid search. The coverage c(i) should be in the relevant range [g,h], where g and h are, respectively, the minimum and maximum coverage levels of competitors’ products. We search a grid of possible coverage levels starting from the reference coverage level and going all the way to the left extreme g (the minimum coverage level offered by competitors). We check whether for the next lower coverage level in the grid the optimal portfolio still includes the insurance product, moving further down the grid until it is not included or we reach g. This gives us the minimum coverage level that the company would need to have in order to include the product in his optimal cybersecurity portfolio.

Price and coverage

Finally, we can explore price-coverage Pareto efficient insurance products by combining the two preceding methods to simultaneously optimise price and coverage, determining the maximum price that a company is willing to pay and the minimum level of coverage needed in order to include an insurance product in his optimal cybersecurity portfolio. In this case, the problem can be rewritten as

specifying the dependence of the expected utility (and the optimal cybersecurity portfolio) on both the price and the coverage, with the corresponding feasible ranges being [a, b] and [g, h. One approach would be to start from the reference portfolio and then present several Pareto efficient insurance products for the organisation to choose from.

Market segmentation

We now show how the model can be adapted to enable market segmentation.[1] Market segmentation involves determining clusters of organisations, defined by their organisation profile and features ft and risk aversion coefficient p, that would choose similar cybersecurity portfolios. This brings many benefits for insurers, including facilitating marketing operations. It also streamlines processes for them, as determining a company’s optimal cybersecurity portfolio, including cyber insurance products, as shown in Section 4.3.4 is computationally intensive. Market segmentation partially alleviates this since it means that the calculations can be done once for a large group of similar organisations.

For a set of organisations characterised by their organisation profile and features and risk aversion coefficients {fU, pi}^=1, we can compute the corresponding optimal portfolios x*, using the methods described in Section 4.3.4. Based on this, we can then find the parameters w of a metamodel x* « £(ft,p,w) + e and use f{ft, p, w) to determine the portfolio that the companies would choose. We could implement the approach for the whole portfolio or for parts of it, in particular, for its cyber insurance component.

Dynamic pricing

Finally, we describe how the model can be adapted to allow for the dynamic pricing of cyber insurance.[2] Insurers can make use of a number of businesses that have emerged in recent years to provide cyber risk indicators about an organisation by aggregating information obtained from security information and event management (SIEM) or threat intelligence (TIS) systems. These systems scan the organisation’s IT infrastructure, its security environment, its security posture and, whenever possible, those of its third party suppliers. (Examining the security of an organisation’s third party suppliers is a new field called supply chain risk management or vendor risk management, as described in Torres et al. (2020).)

This makes it possible to define a risk index rn for an organisation over time n and establish a benchmark risk level w so that if rn > w a warning is issued. Sometimes a forecasting model for rn is introduced to facilitate predictive monitoring.

Insurers can use this to develop new cyber insurance products that are priced dynamically. For example, on top of a traditional product they could introduce a discount factor if, after a certain period, the risk indicator does not attain level w. They could also introduce a penalty if the risk indicator reaches level w and the insured company does not implement certain recommendations to improve its cybersecurity.

  • [1] Note that market segmentation is more feasible for SMEs—the main focus of this book—than for largercompanies, as the larger an organisation is the more complex these calculations become.
  • [2] As with market segmentation, this is more practicable for SMEs.
 
Source
< Prev   CONTENTS   Source   Next >